claw/flaskpaste
1
0
Fork 1
forked from username/flaskpaste
Code Pull Requests Activity

tests: fix ruff lint errors in security tests

Browse Source
This commit is contained in:
Username
2026-01-18 10:04:27 +01:00
parent 661dab4a81
commit 97bf955820
5 changed files with 19 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
tests/security/cli_security_audit.py
View File

@@ -10,7 +10,7 @@ from pathlib import Path
# Load fpaste as a module by exec
fpaste_path = Path("/home/user/git/flaskpaste/fpaste")
fpaste_globals = {"__name__": "fpaste", "__file__": str(fpaste_path)}
exec(compile(fpaste_path.read_text(), fpaste_path, "exec"), fpaste_globals)
exec(compile(fpaste_path.read_text(), fpaste_path, "exec"), fpaste_globals) # noqa: S102
# Import from loaded module
TRUSTED_CLIPBOARD_DIRS = fpaste_globals["TRUSTED_CLIPBOARD_DIRS"]
@@ -39,10 +39,10 @@ def test_trusted_path_validation():
# Test untrusted paths
untrusted_tests = [
("/tmp/xclip", False, "tmp directory"),
("/tmp/xclip", False, "tmp directory"), # noqa: S108
("/home/user/bin/xclip", False, "user bin"),
("./xclip", False, "current directory"),
("/var/tmp/malicious", False, "var tmp"),
("/var/tmp/malicious", False, "var tmp"), # noqa: S108
("/home/attacker/.local/bin/xclip", False, "user local"),
]
@@ -64,7 +64,7 @@ def test_path_injection():
print("=" * 50)
# Create a malicious "xclip" in /tmp
malicious_path = Path("/tmp/xclip")
malicious_path = Path("/tmp/xclip") # noqa: S108
try:
malicious_path.write_text("#!/bin/sh\necho 'PWNED' > /tmp/pwned\n")
malicious_path.chmod(0o755)
@@ -73,7 +73,7 @@ def test_path_injection():
original_path = os.environ.get("PATH", "")
# Prepend /tmp to PATH (attacker-controlled)
os.environ["PATH"] = f"/tmp:{original_path}"
os.environ["PATH"] = f"/tmp:{original_path}" # noqa: S108
# Try to find clipboard command
cmd = find_clipboard_command(CLIPBOARD_READ_COMMANDS)
@@ -86,7 +86,7 @@ def test_path_injection():
return True
# Check if it's using the malicious path
if cmd[0] == str(malicious_path) or cmd[0] == "/tmp/xclip":
if cmd[0] == str(malicious_path) or cmd[0] == "/tmp/xclip": # noqa: S108
print(" FAIL: Malicious /tmp/xclip was selected!")
print(f" Command: {cmd}")
return False
@@ -125,9 +125,9 @@ def test_subprocess_safety():
# Check subprocess.run uses list
run_calls = re.findall(r"subprocess\.run\(([^)]+)\)", content)
for call in run_calls:
if not call.strip().startswith("[") and not call.strip().startswith("cmd"):
if "cmd" not in call: # Allow variable names like 'cmd'
issues.append(f"Possible string command in subprocess.run: {call[:50]}")
stripped = call.strip()
if not stripped.startswith("[") and not stripped.startswith("cmd") and "cmd" not in call:
issues.append(f"Possible string command in subprocess.run: {call[:50]}")
if issues:
for issue in issues:

2
tests/security/dos_memory_test.py
View File

@@ -31,7 +31,7 @@ def test_antiflood_memory():
max_entries = app.config.get("ANTIFLOOD_MAX_ENTRIES", 10000)
print(f" Max entries config: {max_entries}")
for i in range(20000):
for _ in range(20000):
record_antiflood_request()
list_size = len(_antiflood_requests)

2
tests/security/headers_audit.py
View File

@@ -47,7 +47,7 @@ def run_audit():
results = {"passed": 0, "failed": 0, "warnings": 0}
for endpoint, method, expected_status in TEST_ENDPOINTS:
for endpoint, method, _expected_status in TEST_ENDPOINTS:
print(f"\n[{method} {endpoint}]")
print("-" * 40)

14
tests/security/pentest_session.py
View File

@@ -16,9 +16,9 @@ BASE_URL = "http://127.0.0.1:5099"
def request(url, method="GET", data=None, headers=None):
"""Make HTTP request."""
headers = headers or {}
req = urllib.request.Request(url, data=data, headers=headers, method=method)
req = urllib.request.Request(url, data=data, headers=headers, method=method) # noqa: S310
try:
with urllib.request.urlopen(req, timeout=30) as resp:
with urllib.request.urlopen(req, timeout=30) as resp: # noqa: S310
return resp.status, resp.read(), dict(resp.headers)
except urllib.error.HTTPError as e:
return e.code, e.read(), dict(e.headers)
@@ -86,7 +86,7 @@ def run_tests():
print("\n[Phase 1] Reconnaissance")
print("-" * 40)
status, body, headers = request(f"{BASE_URL}/")
status, body, _ = request(f"{BASE_URL}/")
log_test("GET / returns API info", status == 200)
status, body, _ = request(f"{BASE_URL}/health")
@@ -225,7 +225,7 @@ def run_tests():
status, body, _ = request(f"{BASE_URL}/", "POST", payload.encode(), pow_headers)
if status == 201:
data = json.loads(body)
status2, content, _ = request(f"{BASE_URL}/{data['id']}/raw")
_, content, _ = request(f"{BASE_URL}/{data['id']}/raw")
log_test("SSTI payload stored safely", b"49" not in content)
paste_ids.append(data["id"])
pow_headers = get_pow_headers()
@@ -233,7 +233,7 @@ def run_tests():
# XSS in content
xss_payload = b"<script>alert('xss')</script>"
pow_headers = get_pow_headers()
status, body, headers = request(f"{BASE_URL}/", "POST", xss_payload, pow_headers)
status, body, _ = request(f"{BASE_URL}/", "POST", xss_payload, pow_headers)
if status == 201:
data = json.loads(body)
status, content, resp_headers = request(f"{BASE_URL}/{data['id']}/raw")
@@ -261,11 +261,9 @@ def run_tests():
print("-" * 40)
# Make many rapid requests
hit_limit = False
for i in range(100):
for _ in range(100):
status, _, _ = request(f"{BASE_URL}/health")
if status == 429:
hit_limit = True
break
log_test("Rate limiting active on reads", True) # May or may not hit

4
tests/security/profiled_server.py
View File

@@ -14,8 +14,8 @@ from app import create_app
# Global profiler
profiler = cProfile.Profile()
profile_output = "/tmp/flaskpaste_profile.prof"
stats_output = "/tmp/flaskpaste_profile_stats.txt"
profile_output = "/tmp/flaskpaste_profile.prof" # noqa: S108
stats_output = "/tmp/flaskpaste_profile_stats.txt" # noqa: S108
def save_profile():